
Non-critical web server security observations & suggestions (Nginx)

LeeH
edited March 2012 in Feedback

Two Nginx-specific suggestions I have for others, based on the forum launch I'm working on right now:

1) Categories can be accessed directly by ID in addition to name. Not a vulnerability or anything, since categories to which a viewer doesn't have access return a log-in page for guests or a blue "Permission Problem" page for logged-in users, but it still gives nosy folks insight into your forum's structure and can show the presence of hidden forums.

Workaround - deny access to URLs which contain /categories/ followed by a number. For Nginx, this is done with a simple location directive:

location ~* /categories/([0-9]|[1-9][0-9]|[1-9][0-9][0-9])$ {
    return 404;
}

2) The /conf directory is by default located inside the webroot, and config.php contains your mysql account name and password. I don't believe the default .htaccess file locks down /conf, and in any case, Nginx doesn't use .htaccess files.

Workaround - deny access to /conf by declaring it internal, which still lets the web server access it but prevents files from being served from that location:

location ^~ /conf/ {
    internal;
}

I'll eventually blog my configuration in detail, but wanted to share these two with the community before it slipped my mind!
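An offline check of what the regex in suggestion 1 actually catches, added here as an example and not part of the original post. nginx matches location regexes with PCRE against the normalised request URI (no query string); Python's re module behaves the same for a pattern this simple. The sample URIs are constructed test inputs, and the second, anchored pattern is a suggested tightening that the poster did not write: it pins the match to the start of the URI and accepts any number of digits, so IDs above 999 are covered.

```python
import re

# The location regex from the post. "~*" in nginx means case-insensitive.
ORIGINAL = re.compile(
    r"/categories/([0-9]|[1-9][0-9]|[1-9][0-9][0-9])$", re.IGNORECASE
)

# Suggested tightening (my assumption, not from the post): anchored at the
# start of the URI, any run of digits, still case-insensitive ("~*").
ANCHORED = re.compile(r"^/categories/[0-9]+$", re.IGNORECASE)


def blocked(pattern: re.Pattern, uri: str) -> bool:
    """True if nginx would route this URI into the `return 404` location."""
    return pattern.search(uri) is not None


def compare(uris):
    """Map each URI to (blocked by ORIGINAL, blocked by ANCHORED)."""
    return {u: (blocked(ORIGINAL, u), blocked(ANCHORED, u)) for u in uris}


# Constructed sample paths, not taken from any real forum.
SAMPLE_URIS = [
    "/categories/7",            # plain numeric ID: both patterns block it
    "/categories/999",          # largest ID the original alternation covers
    "/categories/1234",         # four digits: slips past the original
    "/CATEGORIES/12",           # case variant: both are case-insensitive
    "/foo/categories/12",       # no leading anchor: original over-blocks
    "/categories/general",      # by-name access is meant to keep working
    "/categories/12/",          # trailing slash: neither matches; check how
                                # the application routes it before relying
                                # on the rule
]

if __name__ == "__main__":
    for uri, (orig, anch) in compare(SAMPLE_URIS).items():
        print(f"{uri:24} original={orig!s:5} anchored={anch!s:5}")
```

Run it and the two rows worth staring at are /categories/1234 and /foo/categories/12: the first shows the three-digit ceiling, the second shows what the missing leading anchor does.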

Best Answer

  • x00 MVP
    edited March 2012 Answer ✓

    config.php, like most files, has

    if (!defined('APPLICATION')) exit();

    but there's no harm in making sure.

    Make sure to set the default 404 to /dashboard/home/filenotfound for consistency's sake.

    grep is your friend.

Answers

  • LeeH
    edited March 2012

    Ah, see, I'm php-stupid, so I wasn't sure that's what that line did. Thanks for explaining! :D

    But, still, definitely a good idea to make sure. And, yep, error page consistency is one of those things that makes you look like you are a good site admin and know what you're doing!!

    error_page 404 /dashboard/home/filenotfound;
    error_page 403 =404 /dashboard/home/filenotfound;

    (Yeah, serving a "not found" in place of a "forbidden" kind of violates RFC 2616, but I prefer obscurity over holding up a flag that says "Something interesting is here but you can't see it!!")
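Pulling the two location rules from the opening post and the error_page lines from the reply above into one server block, as an added example written for this page rather than configuration any poster shared. The server_name, root, front-controller rewrite and PHP-FPM socket path are placeholder assumptions, and the category regex goes beyond the original: it is anchored at the start of the URI and accepts any number of digits instead of the one-to-three-digit alternation.

```nginx
server {
    listen 80;
    server_name forum.example.com;     # assumption: placeholder hostname
    root /var/www/vanilla;             # assumption: placeholder webroot

    # Consistent error pages. Mapping 403 onto 404 is the trade-off the reply
    # above describes: not RFC 2616-clean, but it stops a 403 advertising
    # that something exists behind the path.
    error_page 404 /dashboard/home/filenotfound;
    error_page 403 =404 /dashboard/home/filenotfound;

    # 1) Category-by-numeric-ID URLs. Anchored with ^ so a deeper path such as
    #    /foo/categories/12 is not caught by accident, and [0-9]+ rather than
    #    the original 1-3 digit alternation so IDs above 999 are covered too.
    #    "~*" keeps the match case-insensitive, as in the original rule.
    location ~* ^/categories/[0-9]+$ {
        return 404;
    }

    # 2) /conf holds config.php with the database credentials. "^~" is a
    #    prefix match that stops nginx from consulting the regex locations
    #    below, so the \.php$ handler never sees /conf/config.php, and
    #    "internal" makes nginx answer 404 to any external request for the
    #    path while internal redirects to it still work.
    location ^~ /conf/ {
        internal;
    }

    # Front controller rewrite (assumption: Vanilla's index.php?p= style).
    location / {
        try_files $uri $uri/ /index.php?p=$uri&$args;
    }

    # PHP handling. try_files =404 refuses to pass a non-existent script
    # name to PHP-FPM.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption: socket path
    }
}
```

After loading it, request /conf/config.php, /categories/12 and a made-up path with curl -i and confirm all three come back with the same 404 page; if any of them still returns 403, a location elsewhere in the config is taking precedence over these.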
